completed basic permission management

app/controllers/user_groups_controller.rb

 class UserGroupsController < ApplicationController
-  before_action :set_user_group, only: [:show, :update, :destroy]
+  before_action :authenticate_user!
+  before_action :set_user_group, only: [:update, :destroy]
+  before_action :authentiate_group_admin, only: [:update, :destroy]
 
-  # GET /user_groups
   # GET /user_groups.json
   def index
     @user_groups = UserGroup.all
   end
 
-  # GET /user_groups/1
-  # GET /user_groups/1.json
-  def show
-  end
-
-  # POST /user_groups
   # POST /user_groups.json
   def create
     @user_group = UserGroup.new(user_group_params)
@@ -48,6 +43,10 @@ class UserGroupsController < ApplicationController
 
     # Never trust parameters from the scary internet, only allow the white list through.
     def user_group_params
-      params.fetch(:user_group, {})
+      params.permit(:name, :description)
+    end
+
+    def authorize_group_admin
+      head :unauthorized unless @user_group.owner==current_user
     end
 end

app/controllers/users_controller.rb

+class UsersController < ApplicationController
+  before_action :authenticate_user!
+
+  # GET /users.json
+  def index
+    @users = User.confirmed
+  end
+
+end

app/models/user.rb

@@ -15,6 +15,14 @@ class User < ActiveRecord::Base
   validates :email, :uniqueness => true
   validates :password, :confirmation => true
 
+  #---Scopes----
+  scope :confirmed, -> { where("confirmed_at IS NOT NULL") }
+  # ----------------------------------------
+  # :section: Class Methods
+  # ----------------------------------------
+  def self.json_keys #public attributes
+    [:id, :first_name, :last_name]
+  end
   # ----------------------------------------
   # :section: Permission Checkers
   # ----------------------------------------
@@ -76,7 +84,7 @@ class User < ActiveRecord::Base
   def name
     "#{self.first_name} #{self.last_name}"
   end
-  
+
   protected
 
 

app/models/user_group.rb

@@ -24,39 +24,11 @@ class UserGroup < ApplicationRecord
   validates :owner_id, :presence => true
 
 
-  #---------------
-  #:section: Utility Methods
-  #---------------
-
-  # Returns a json model of the UserGroup.
-  # ===attributes
-  # * +options+: hash, pass <tt>{}</tt> for no options, or <tt>{:include_members=>true}</tt>
-  #
-  # ===examples
-  #
-  #  #Just the group
-  #  user_group.as_json({}) =
-  #  {"name"        => "Lab Group",
-  #   "description" => "Users working on NILM in the lab",
-  #   "id"          => 3}
-  #
-  #  #Include the members
-  #  user_group.as_json({:include_members=>true}) =
-  #  {"name"        => "Lab Group",
-  #   "description" => "Users working on NILM in the lab",
-  #   "id"          => 3}
-  #   :members      => [
-  #       {"first_name" => "John",
-  #        "last_name"  => "Ledner",
-  #        "id"         => 3,
-  #        :confirmed   => true,
-  #        }, ... ]
-  #   }
-  def as_json(options)
-     group = super(only: [:name, :description, :id])
-     if(options[:include_members])
-       group[:members] = self.users.as_json(:abbreviated=>true)
-     end
-     return group
+  # ----------------------------------------
+  # :section: Class Methods
+  # ----------------------------------------
+  def self.json_keys #public attributes
+    [:id, :name]
   end
+
 end

app/views/permissions/create.json.jbuilder

@@ -2,6 +2,7 @@ json.data do
   json.extract! @permission, *Permission.json_keys
   json.target_name @permission.target_name
   json.target_type @permission.target_type
+  json.removable @permission.user_id!=current_user.id
 end
 
 json.partial! "helpers/messages", service: @service

app/views/user_groups/_user_group.json.jbuilder

-json.extract! user_group, :id, :created_at, :updated_at
-json.url user_group_url(user_group, format: :json)
\ No newline at end of file

app/views/user_groups/index.json.jbuilder

-json.array! @user_groups, partial: 'user_groups/user_group', as: :user_group
\ No newline at end of file
+json.array! @user_groups do |group|
+  json.extract! group, *UserGroup.json_keys
+end

app/views/user_groups/show.json.jbuilder

-json.partial! "user_groups/user_group", user_group: @user_group
\ No newline at end of file

app/views/users/index.json.jbuilder

+json.array! @users do |user|
+  json.extract! user, *User.json_keys
+end

config/routes.rb

@@ -6,6 +6,7 @@ Rails.application.routes.draw do
   resources :db_streams, only: [:update]
 
   mount_devise_token_auth_for 'User', at: 'auth'
-  resources :user_groups
+  resources :users, only: [:index, :create, :destroy]
+  resources :user_groups, only: [:index, :create, :destroy]
   resources :permissions, only: [:index, :create, :destroy]
 end

spec/controllers/user_groups_controller_spec.rb

+# frozen_string_literal: true
 require 'rails_helper'
 
-# This spec was generated by rspec-rails when you ran the scaffold generator.
-# It demonstrates how one might use RSpec to specify the controller code that
-# was generated by Rails when you ran the scaffold generator.
-#
-# It assumes that the implementation code is generated by the rails scaffold
-# generator.  If you are using any extension libraries to generate different
-# controller code, this generated spec may or may not pass.
-#
-# It only uses APIs available in rails and/or rspec-rails.  There are a number
-# of tools you can use to make these specs even more expressive, but we're
-# sticking to rails and rspec-rails APIs to keep things simple and stable.
-#
-# Compared to earlier versions of this generator, there is very limited use of
-# stubs and message expectations in this spec.  Stubs are only used when there
-# is no simpler way to get a handle on the object needed for the example.
-# Message expectations are only used when there is no simpler way to specify
-# that an instance is receiving a specific message.
+RSpec.describe UserGroupsController, type: :request do
+  let(:grp1) { create(:user_group, name: 'Group1') }
+  let(:grp2) { create(:user_group, name: 'Group2') }
 
-RSpec.describe UserGroupsController, type: :controller, broken: true do
+  let(:john) { create(:user, first_name: 'Jonh') }
 
-  # This should return the minimal set of attributes required to create a valid
-  # UserGroup. As you add validations to UserGroup, be sure to
-  # adjust the attributes here as well.
-  let(:valid_attributes) {
-    skip("Add a hash of attributes valid for your model")
-  }
+  describe 'GET index' do
+    before { john.confirm }
 
-  let(:invalid_attributes) {
-    skip("Add a hash of attributes invalid for your model")
-  }
-
-  # This should return the minimal set of values that should be in the session
-  # in order to pass any filters (e.g. authentication) defined in
-  # UserGroupsController. Be sure to keep this updated too.
-  let(:valid_session) { {} }
-
-  describe "GET #index" do
-    it "assigns all user_groups as @user_groups" do
-      user_group = UserGroup.create! valid_attributes
-      get :index, params: {}, session: valid_session
-      expect(assigns(:user_groups)).to eq([user_group])
-    end
-  end
-
-  describe "GET #show" do
-    it "assigns the requested user_group as @user_group" do
-      user_group = UserGroup.create! valid_attributes
-      get :show, params: {id: user_group.to_param}, session: valid_session
-      expect(assigns(:user_group)).to eq(user_group)
-    end
-  end
-
-  describe "GET #new" do
-    it "assigns a new user_group as @user_group" do
-      get :new, params: {}, session: valid_session
-      expect(assigns(:user_group)).to be_a_new(UserGroup)
-    end
-  end
-
-  describe "GET #edit" do
-    it "assigns the requested user_group as @user_group" do
-      user_group = UserGroup.create! valid_attributes
-      get :edit, params: {id: user_group.to_param}, session: valid_session
-      expect(assigns(:user_group)).to eq(user_group)
-    end
-  end
-
-  describe "POST #create" do
-    context "with valid params" do
-      it "creates a new UserGroup" do
-        expect {
-          post :create, params: {user_group: valid_attributes}, session: valid_session
-        }.to change(UserGroup, :count).by(1)
-      end
-
-      it "assigns a newly created user_group as @user_group" do
-        post :create, params: {user_group: valid_attributes}, session: valid_session
-        expect(assigns(:user_group)).to be_a(UserGroup)
-        expect(assigns(:user_group)).to be_persisted
-      end
-
-      it "redirects to the created user_group" do
-        post :create, params: {user_group: valid_attributes}, session: valid_session
-        expect(response).to redirect_to(UserGroup.last)
+    context 'with authenticated user' do
+      it 'returns user groups' do
+        # force lazy evaluation of let to build groups
+        grp1; grp2;
+        @auth_headers = john.create_new_auth_token
+        get "/user_groups.json", headers: @auth_headers
+        expect(response.header['Content-Type']).to include('application/json')
+        body = JSON.parse(response.body)
+        expect(body[0]["id"]).to eq(grp1.id)
+        expect(body[1]["id"]).to eq(grp2.id)
       end
     end
-
-    context "with invalid params" do
-      it "assigns a newly created but unsaved user_group as @user_group" do
-        post :create, params: {user_group: invalid_attributes}, session: valid_session
-        expect(assigns(:user_group)).to be_a_new(UserGroup)
-      end
-
-      it "re-renders the 'new' template" do
-        post :create, params: {user_group: invalid_attributes}, session: valid_session
-        expect(response).to render_template("new")
+    context 'without sign-in' do
+      it 'returns unauthorized' do
+        get "/user_groups.json"
+        expect(response.status).to eq(401)
       end
     end
   end
-
-  describe "PUT #update" do
-    context "with valid params" do
-      let(:new_attributes) {
-        skip("Add a hash of attributes valid for your model")
-      }
-
-      it "updates the requested user_group" do
-        user_group = UserGroup.create! valid_attributes
-        put :update, params: {id: user_group.to_param, user_group: new_attributes}, session: valid_session
-        user_group.reload
-        skip("Add assertions for updated state")
-      end
-
-      it "assigns the requested user_group as @user_group" do
-        user_group = UserGroup.create! valid_attributes
-        put :update, params: {id: user_group.to_param, user_group: valid_attributes}, session: valid_session
-        expect(assigns(:user_group)).to eq(user_group)
-      end
-
-      it "redirects to the user_group" do
-        user_group = UserGroup.create! valid_attributes
-        put :update, params: {id: user_group.to_param, user_group: valid_attributes}, session: valid_session
-        expect(response).to redirect_to(user_group)
-      end
-    end
-
-    context "with invalid params" do
-      it "assigns the user_group as @user_group" do
-        user_group = UserGroup.create! valid_attributes
-        put :update, params: {id: user_group.to_param, user_group: invalid_attributes}, session: valid_session
-        expect(assigns(:user_group)).to eq(user_group)
-      end
-
-      it "re-renders the 'edit' template" do
-        user_group = UserGroup.create! valid_attributes
-        put :update, params: {id: user_group.to_param, user_group: invalid_attributes}, session: valid_session
-        expect(response).to render_template("edit")
-      end
-    end
-  end
-
-  describe "DELETE #destroy" do
-    it "destroys the requested user_group" do
-      user_group = UserGroup.create! valid_attributes
-      expect {
-        delete :destroy, params: {id: user_group.to_param}, session: valid_session
-      }.to change(UserGroup, :count).by(-1)
-    end
-
-    it "redirects to the user_groups list" do
-      user_group = UserGroup.create! valid_attributes
-      delete :destroy, params: {id: user_group.to_param}, session: valid_session
-      expect(response).to redirect_to(user_groups_url)
-    end
-  end
-
 end

spec/controllers/users_controller_spec.rb

+# frozen_string_literal: true
+require 'rails_helper'
+
+RSpec.describe UsersController, type: :request do
+  let(:steve) { create(:user, first_name: 'Steve')}
+  let(:john) { create(:user, first_name: 'Jonh') }
+  let(:newguy) { create(:user, first_name: 'Unconfirmed')}
+  describe 'GET index' do
+    before do
+      john.confirm
+      steve.confirm
+    end
+
+    context 'with authenticated user' do
+      it 'returns confirmed users' do
+        # force lazy evaluation of let to build users
+        newguy
+        @auth_headers = john.create_new_auth_token
+        get "/users.json", headers: @auth_headers
+        expect(response.header['Content-Type']).to include('application/json')
+        body = JSON.parse(response.body)
+        expect(body[0]["id"]).to eq(john.id)
+        expect(body[1]["id"]).to eq(steve.id)
+        expect(body.length).to eq(2) #does not have newguy
+      end
+    end
+    context 'without sign-in' do
+      it 'returns unauthorized' do
+        get "/users.json"
+        expect(response.status).to eq(401)
+      end
+    end
+  end
+end